The Honorable Norman E. D’Amours
Chairman 

National  Credit  Union  Administration 
Dear  Mr.  D’Amours: 

On October 22, 1997, we submitted testimony to the Senate Subcommittee
on Financial Services and Technology, Committee on Banking, Housing,
and Urban Affairs on the National Credit Union Administration’s (NCUA)
efforts to ensure that credit union computer systems are ready for the
upcoming Year 2000 date change.1 In our testimony, we reported that
while NCUA had made some progress in addressing Year 2000 compliance
issues, more needed to be done to ensure that credit unions adequately
mitigate Year 2000 risks. This report (1) officially transmits
recommendations to assist NCUA in addressing the Year 2000 problem,
(2) responds to your comments on our testimony, and (3) recognizes
actions NCUA has taken in response to our recommendations. Our
testimony, which includes our objective, scope, and methodology, and
findings, conclusions, and recommendations, is reprinted in appendix I.
Your response to our testimony is reprinted in appendix II.


Recommendations 


As stated in our October 22, 1997, testimony, we recommend that NCUA

• accelerate its efforts to complete the assessment of the state of the
industry, collect the necessary information to determine the exact phase
of each credit union and vendor in addressing the Year 2000 problem, and
require credit unions to report the precise status (phase) of their efforts on
at least a quarterly basis, including progress in addressing system
interfaces;

• document its contingency plans;

• require credit unions to implement the necessary management controls to
ensure that these financial institutions have adequately mitigated the risks
associated with the Year 2000 problem, including (1) requiring credit union
auditors to include Year 2000 issues within the scope of their management
and internal control work and report serious problems and corrective
actions to NCUA immediately and (2) providing auditors with the
procedures developed by NCUA for its examiners to use in assessing Year
2000 compliance and any other guidance that would be instructive;

• require credit unions to establish processes whereby credit union
management would be responsible for certifying Year 2000 readiness
including credit union compliance testing by a qualified independent third
party; and

• determine (before the end of 1997) the level of technical capability needed
to allow for a thorough review of credit unions’ Year 2000 efforts and hire
or contract for this capability.


Agency Comments and Our Evaluation


In your October 30, 1997, letter response to our testimony, you stated that
the testimony contained useful recommendations and described actions
that NCUA is taking or has taken to implement our recommendations. These
actions included (1) implementing quarterly credit union reporting of Year
2000 status that includes having credit union officials certify their level of
progress, (2) developing written contingency plans to augment current
processes for administrative actions, and (3) using a contractor to perform
technical reviews of 10 electronic data processing vendors. You also stated
that, depending on the outcome of these reviews, NCUA would consider
contracting for additional reviews of other electronic data processing
vendors, credit unions that develop and maintain their own systems, and
large credit unions. In addition, in a November 12, 1997, letter to the
Congress, you said NCUA would be issuing a letter to credit unions in
December 1997 to describe the potential problems and develop
information on steps credit unions should take to manage the interface
issue. Finally, on December 1, 1997, you issued a letter, including
examination procedures, to the credit union supervisory committees
notifying them of the need for internal and external auditors to review
Year 2000 plans and testing processes.

However, you also raised a concern with one of our recommendations.
Specifically, you stated that, as part of its quarterly reporting process, NCUA
plans to require credit union managers to certify their progress in
addressing the Year 2000 problem. You also stated that independent third
party certification of progress would be unnecessarily burdensome to a
majority of credit unions. By requiring credit unions to certify their
progress, NCUA is effectively alerting credit unions that they are
responsible and accountable for addressing the Year 2000 problem and, as
such, is a step in the right direction. However, without independent
verification that credit union systems are Year 2000 compliant, NCUA will
be relying solely on management assertions and therefore will not have
assurance that credit unions are progressing as reported. To effectively
mitigate this risk, NCUA needs to ensure that the information being
reported to it is accurate and reliable. Consequently, we reiterate our
recommendation that the certification process include credit union
compliance testing by a qualified independent third party and allow
sufficient time for NCUA to review the results and take appropriate action,
if needed, before the year 2000.


This  report  contains  recommendations  to  you.  The  head  of  a  federal 
agency  is  required  by  31  U.S.C.  720  to  submit  a  written  statement  on 
actions  taken  on  these  recommendations  to  the  Senate  Committee  on 
Governmental  Affairs  and  the  House  Committee  on  Government  Reform 
and  Oversight  not  later  than  60  days  after  the  date  of  this  report.  A  written 
statement  also  must  be  sent  to  the  House  and  Senate  Committees  on 
Appropriations  with  the  agency’s  first  request  for  appropriations  made 
more  than  60  days  after  the  date  of  this  report. 

We  are  sending  copies  of  this  letter  to  the  Chairmen  and  Ranking  Minority 
Members  of  the  Senate  Committee  on  Banking,  Housing,  and  Urban 
Affairs;  the  House  Committee  on  Banking  and  Financial  Services;  the 
Senate  and  House  Committees  on  Appropriations;  the  Senate  and  House 
Committees  on  the  Budget;  the  Senate  Committee  on  Governmental 
Affairs;  and  the  House  Committee  on  Government  Reform  and  Oversight. 
We  are  also  sending  copies  to  the  Director  of  the  Office  of  Management 
and  Budget,  the  Chairman  of  the  Federal  Reserve  System,  the  Comptroller 
of  the  Currency,  the  Chairman  of  the  Federal  Deposit  Insurance 
Corporation,  and  the  Director  of  the  Office  of  Thrift  Supervision.  Copies 
will  also  be  made  available  to  others  upon  request. 

Please contact me on (202) 512-6240 if you or your staff have any
questions on this report. Major contributors to this report are listed in
appendix III.

Sincerely  yours, 


Jack  L.  Brock,  Jr. 

Director,  Information  Management  Issues 

GAO’s October 22, 1997 Testimony


Mr. Chairman and Members of the Subcommittee:

We are pleased to be asked to provide our views on the progress being
made by the National Credit Union Administration (NCUA) in ensuring that
automated information systems belonging to the thousands of credit
unions that NCUA oversees are ready for the upcoming century date
change. If the Year 2000 problem is not addressed in time, credit union
computer systems — which affect billions of dollars of assets and
transactions — will be unable to readily process transactions or produce
accurate information. According to NCUA, without properly functioning
systems, credit unions like other financial institutions face the potential of
failure.

This testimony is the first in a series of reports you requested on the status
of efforts by federal financial regulatory agencies to ensure that the
organizations they oversee are ready to handle the Year 2000 computer
conversion challenge. To prepare for this testimony, we performed a quick
overview of NCUA's efforts to date to ensure that credit unions have
adequately mitigated the risks associated with the Year 2000 date change
and compared these activities to our Year 2000 Assessment Guide.1 In
performing the overview, we interviewed NCUA officials responsible for
examining and overseeing the safety and soundness of credit union
management practices and procedures. We reviewed examination policies,
procedures, and manuals — including specific examination procedures for
assessing Year 2000 compliance. We also reviewed NCUA correspondence
to credit unions and third-party contractors (that provide automated
systems services to many credit unions) regarding the Year 2000 problem.
Finally, we interviewed officials from the Credit Union National
Association, the National Association of State Credit Union Supervisors,
and the CUNA Mutual Group (which provides liability insurance for the
credit union industry). We provided a draft of this testimony to NCUA for
review and comment. NCUA officials stated that they would provide written
comments at a later date. We performed our work at NCUA headquarters in
Alexandria, Virginia, between October 7 and 17, 1997, in accordance with
generally accepted government auditing standards.


1 Year 2000 Computing Crisis: An Assessment Guide (GAO/AIMD-10.1.14, September 1997). Published
as an exposure draft in February 1997 and finalized in September 1997, the guide was issued to help
federal agencies prepare for the Year 2000 conversion. It addresses common issues affecting most
federal agencies and presents a structured approach and a checklist to aid in planning, managing, and
evaluating Year 2000 programs. The guide describes five phases — supported by program and project
management activities — with each phase representing a major Year 2000 program activity or segment.
While the guide focuses on federal agencies, it is general enough that nonfederal organizations can
also use it to assess their automated systems.

As requested, my testimony today will highlight the Year 2000 problem's
potential impact on credit unions and their systems. I will then discuss
NCUA's Year 2000 strategy and highlight our observations with its efforts to
ensure that credit unions are appropriately addressing the problem.

In summary, we found that the Year 2000 problem poses a serious
dilemma for credit unions because they, like other financial institutions,
rely heavily on information systems. We also found that NCUA recognizes
the severity of the problem, has developed a plan, and has initiated action.
For example, NCUA issued several letters to the credit unions informing
them of the risks associated with the Year 2000 problem. In addition, working
in conjunction with other federal financial regulators, NCUA developed
procedures for examiners to use in reviewing credit union Year 2000
efforts. However, we are concerned with NCUA's approach because
(1) current agency efforts to determine industrywide compliance are
behind the generally accepted schedule for achieving Year 2000
compliance, and, consequently, NCUA does not yet have a complete picture
of where credit unions stand individually or as an industry, (2) the agency
lacks a formal, documented contingency plan in case credit unions do not
become compliant in time or have other problems, (3) credit union
internal auditors may not be thoroughly addressing Year 2000 issues as
part of their work, and (4) NCUA does not have enough technical capability
to conduct Year 2000 and other examinations in complex systems areas.


The Year 2000 Problem Poses a Serious Dilemma for Credit Unions


Credit unions are nonprofit financial cooperatives organized to provide
their members with low-cost financial services. According to NCUA, as of
1996, federally insured credit union assets totaled $326 billion. About one
in four Americans belongs to a credit union, and credit unions accounted
for about 2 percent of the total financial services in the United States.

NCUA supervises and insures more than 7,200 federally chartered credit
unions and insures member deposits in an additional 4,200 state-chartered
credit unions through the National Credit Union Share Insurance Fund. As
part of its goal of maintaining the safety and soundness of the credit
unions, NCUA is responsible for ensuring credit unions are addressing the
Year 2000 problem.

The Year 2000 problem is rooted in the way dates are recorded and
computed in automated information systems. For the past several
decades, systems have typically used two digits to represent the year, such
as “97” representing 1997, in order to conserve on electronic data storage
and reduce operating costs. With this two-digit format, however, the year
2000 is indistinguishable from 1900, or 2001 from 1901. As a result of this
ambiguity, system or application programs that use dates to perform
calculations, comparisons, or sorting may generate incorrect results.

According to NCUA, most credit unions rely on computers to provide for
processing and updating of records and a variety of other functions. As
such, the Year 2000 problem poses a serious dilemma for the industry. For
example, the problem could lead to numerous problems when calculations
requiring the use of dates are performed, such as calculating interest,
calculating truth-in-lending or truth-in-savings disclosures, and
determining amortization schedules. Moreover, automated teller machines
may also assume that all bank cards are expired due to this problem. In
addition, errors caused by Year 2000 miscalculations may expose
institutions and data centers to financial liability and risk of damage to
customer confidence. Other systems important to the day-to-day business
of credit unions may be affected as well. For example, telephone systems
could shut down as can vaults, security and alarm systems, elevators, and
fax machines.
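
The two-digit-year failures described above (expiry comparisons, interest calculations, sorting) can be reproduced in a few lines. This is an added example, not part of the GAO testimony; all function names and sample values are hypothetical, and the windowing fix with a pivot of 50 is one known remediation technique chosen here as an assumption.

```python
from datetime import date


def expand_naive(yy):
    """Legacy behaviour: every two-digit year is read as 19YY."""
    return 1900 + yy


def expand_windowed(yy, pivot=50):
    """Windowing remediation: YY below the pivot is 20YY, otherwise 19YY.
    The pivot of 50 is an assumption made for this example."""
    return 2000 + yy if yy < pivot else 1900 + yy


def parse_yymmdd(text, expand):
    """Turn a stored 'YYMMDD' field into a full date using the given rule."""
    yy, mm, dd = int(text[0:2]), int(text[2:4]), int(text[4:6])
    return date(expand(yy), mm, dd)


def card_expired(expiry_yymm, today_yymmdd, expand):
    """ATM-style check: is the card's 'YYMM' expiry before the current month?"""
    expiry = (expand(int(expiry_yymm[0:2])), int(expiry_yymm[2:4]))
    today = parse_yymmdd(today_yymmdd, expand)
    return expiry < (today.year, today.month)


def accrued_interest(principal, annual_rate, start, end, expand):
    """Simple interest over the days between two 'YYMMDD' fields.
    Returns (days, interest) so a negative interval is visible to the caller."""
    days = (parse_yymmdd(end, expand) - parse_yymmdd(start, expand)).days
    return days, round(principal * annual_rate * days / 365, 2)


def sort_by_date(records, expand):
    """Order 'YYMMDD' records chronologically under the given expansion rule."""
    return sorted(records, key=lambda r: parse_yymmdd(r, expand))


# Constructed sample data (not taken from any real system).
CARD_EXPIRY = "0006"            # card valid through June 2000
TODAY = "971022"                # 22 October 1997
LOAN_START, LOAN_END = "991201", "000101"
STATEMENTS = ["981115", "990630", "000101", "010315"]

if __name__ == "__main__":
    for name, rule in (("naive", expand_naive), ("windowed", expand_windowed)):
        print(name)
        print("  card expired:", card_expired(CARD_EXPIRY, TODAY, rule))
        print("  interest:", accrued_interest(10000, 0.08, LOAN_START, LOAN_END, rule))
        print("  sorted:", sort_by_date(STATEMENTS, rule))
```

Under the naive rule a card valid through 2000 is rejected in 1997, a one-month loan period becomes a negative interval of roughly a century, and year-2000 records sort ahead of 1998 records; the windowed rule gives the expected results for the same stored data.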

In addressing the Year 2000 problem, credit unions must also consider the
computer systems that interface with, or connect to, their own systems.
These systems may belong to payment system partners, such as wire
transfer systems, automated clearing houses, check clearing providers,
credit card merchant and issuing systems, automated teller machine
networks, electronic data interchange systems, and electronic benefits
transfer systems. Because these systems are also vulnerable to the Year
2000 problem, they can introduce and/or propagate errors into credit
unions' systems. Accordingly, credit unions must develop comprehensive
solutions to this problem and prevent unintentional consequences from
affecting their systems and the systems of others.

To address these Year 2000 challenges, GAO issued its Year 2000
Assessment Guide2 to help federal agencies plan, manage, and evaluate
their efforts. The Office of Management and Budget (OMB), which is
responsible for developing the Year 2000 strategy for federal agencies, also
issued similar guidance. Both require a structured approach to planning
and managing five delineated phases of an effective Year 2000 program.
The phases include (1) raising awareness of the problem, (2) assessing the
complexity and impact the problem can have on systems, (3) renovating,
or correcting, systems, (4) validating, or testing, corrections, and
(5) implementing corrected systems. GAO has also identified other
dimensions to solving the Year 2000 problem, such as identifying
interfaces with outside organizations and their systems and establishing
agreements with these organizations specifying how data will be
exchanged in the year 2000 and beyond. In addition, GAO and OMB have
established a timeline for completing each of the five phases and believe
agencies should have completed assessment phase activities last summer
and should be well into renovation with the goal of completing this phase
by mid to late 1998. Our work at other federal agencies indicates that
because the cost of systems failures can be very high, contingency plans
must be prepared so that core business functions will continue to be
performed even if systems have not been made Year 2000 compliant.


NCUA Has Developed a Strategy and Has Initiated Action to Address the Year 2000 Problem


NCUA has developed a three-pronged approach for ensuring that credit
unions are aggressively addressing the Year 2000 problem, which
encompasses (1) incorporating the Year 2000 issue into its examination
and supervision program, (2) disseminating information about the problem
to credit unions, and (3) assessing Year 2000 compliance on the part of
credit union data processing vendors.

The first aspect of NCUA's strategy, the examination and supervision
program, involves assessing credit union Year 2000 efforts through regular
annual examinations at the 7,200 federally chartered credit unions and 30
to 40 percent of the 4,200 federally insured, state chartered credit unions
for which NCUA conducts an insurance review. These examinations seek to
identify credit unions that are in danger of not renovating their systems on
time and to reach “formal agreements” that specify corrective measures. In
conducting these reviews, examiners are to follow NCUA guidelines, which
provide step-by-step procedures for identifying problem areas. Once a
formal agreement is reached, the examiner is expected to monitor the
credit union's implementation of the agreed-upon corrective measures.
Also as part of its examination effort, NCUA has contracted a consulting
firm to train selected examiners in Year 2000 efforts. Through this training,
NCUA expects to have one in-house Year 2000 specialist available as a
resource for every eight examiners. In addition, NCUA’s board recently
authorized the hiring of an electronic data processing (EDP) auditor to
provide more in-depth technical assistance and education on Year 2000
problems.


Another part of NCUA's examination and supervision strategy includes
working with state regulators to ensure that federally insured, state
chartered credit unions are also Year 2000 compliant. Officials from NCUA
and the National Association of State Credit Union Supervisors told us that
all but two state regulators are following the same Year 2000 examination
strategy established by NCUA; the other two state regulators are planning
on performing added steps in addition to performing those included in
NCUA's strategy.

The second aspect of NCUA's strategy — information dissemination — seeks
to heighten credit union awareness of the Year 2000 problem. In August
1996 and June 1997 letters to federally insured credit unions, NCUA formally
alerted credit unions to the potential dangers of the Year 2000 problem,
identified the specific impacts the problem could have on the industry,
provided detailed explanations of the problem, and identified steps needed
to correct the problem. It also related its plans to include Year 2000
evaluations in regular examinations and provided credit unions with
copies of its examination guidance. In addition, NCUA has appointed a Year
2000 executive responsible for achieving Year 2000 compliance
industrywide and assigned Year 2000 compliance officers to its central
office and six regional offices. These staff will be responsible for serving
as Year 2000 focal points to coordinate efforts across the agency. Finally,
NCUA is working with credit union trade groups, such as the Credit Union
National Association, in raising awareness of Year 2000 issues.

The third component of NCUA's program — vendor compliance — targets
organizations that provide electronic data processing services to credit
unions. According to NCUA, approximately 40 vendors provide data
processing services to 76 percent of all federally insured credit unions,
which account for 79 percent of federally insured credit union assets.
Consequently, it is vital that these vendors correct their own systems and
help ensure that information can be easily transferred after the Year 2000
deadline. NCUA has begun identifying and contacting major EDP vendors,
and it plans to assess their efforts through questionnaires. Specifically, in
May 1997 and again in August 1997, NCUA mailed a questionnaire to the 87
vendors, including the 40 vendors that support the bulk of credit unions,
requesting information on Year 2000 readiness and, as of September 1997,
had received 29 responses.


Concerns With NCUA’s Year 2000 Efforts


While NCUA has initiated actions to build the Year 2000 issue into
examinations and to raise awareness about the issue among credit unions
and their vendors, our work to date has identified four issues that must be
addressed to provide greater assurance that NCUA efforts will be
successful.

First and foremost of our concerns is that NCUA still does not have a
complete picture of where credit unions and their vendors stand in
resolving the Year 2000 problem, and current efforts to determine credit
union compliance are behind the schedule established by OMB and GAO. To
collect information from the credit unions on their Year 2000 status, NCUA
examiners used a high-level questionnaire that inquired whether (1) credit
union systems were capable and ready to handle Year 2000 processing,
(2) plans were in place to resolve the problem, (3) enough funds were
budgeted to correct systems, and (4) responsibility and reporting
mechanisms were appropriately established to support the Year 2000
effort. NCUA issued a separate high-level questionnaire to credit union
vendors. However, as of the time of our work, NCUA had not yet queried
20 percent of the credit unions and had only received 29 of the 87 vendor
responses. In addition, of the credit union and vendor responses received,
NCUA has not yet analyzed the information to determine which credit
unions and vendors are at high risk of not correcting their systems on
time.

This problem is compounded by the fact that the NCUA questionnaires did
not inquire about the status of efforts in completing each important phase
of correction: (1) raising awareness of the problem, (2) assessing the
complexity and impact the problem can have on systems, (3) renovating,
or correcting, systems, (4) validating, or testing, corrections, and
(5) implementing corrected systems. The questionnaires also did not
include system interface issues. For example, they did not inquire about
(1) identifying interfaces with outside organizations and their systems,
such as payment, check clearing, credit card, and benefit transfer systems,
and (2) establishing agreements with these organizations specifying how
data will be exchanged in the year 2000 and beyond.

As a result, even when NCUA assesses the results, it still will not have a
complete understanding of how far along the industry is in addressing the
problem. In addition, NCUA examinations are conducted only on an annual
basis. This means that each credit union will be examined only two more
times between the end of 1997 and the year 2000. Further, NCUA has not yet
established a formal mechanism for credit unions to submit interim
progress reports to provide an up-to-date picture of individual correction
efforts between examinations. NCUA officials told us that examiners
perform off-site supervision in between exams by tracking performance
via credit union financial reports and by contacting credit union officials
should a problem arise. However, this may not be enough given the
seriousness of the problem and the fact that the Year 2000 deadline is just
2 years away.

Further complicating NCUA's situation is the fact that it is still involved in
assessment phase activities. According to OMB and GAO guidance, these
activities should have been completed back in the summer. As it stands,
NCUA does not plan to complete them until the end of this calendar year.

Accordingly, we believe NCUA should accelerate agency efforts to complete
the assessment of the state of the industry by no later than November 15,
1997, rather than waiting until the end of the year. NCUA should also collect
the necessary information to determine the exact phase of each credit
union and vendor in addressing the Year 2000 problem. Because NCUA
currently does not have a process in place for interim reporting of this
information between examinations, NCUA should require credit unions to
report the precise status (phase) of their efforts on at least a quarterly
basis. One option would be to use the financial reports, commonly
referred to as call reports, that credit unions provide to NCUA quarterly. As
part of this report, NCUA should also require credit unions to report on the
status of identifying their interfaces to determine whether this issue is
being adequately addressed and, if not, require credit unions to implement
such agreements as soon as possible.

A second concern we have with NCUA's efforts is that the agency does not
yet have a formal contingency plan. Our Year 2000 Assessment Guide3
calls on agencies to initiate realistic contingency plans during the
assessment phase for critical systems to ensure the continuity of their core
business processes. Contingency planning is important because it
identifies alternative activities, which may include manual and contract
procedures, to be employed should systems fail to meet the Year 2000
deadline. NCUA guidance directs credit unions to conduct contingency
planning, and NCUA officials told us that they have developed numerous
contingency options and have discussed among the staff what steps to
take should a credit union not be compliant by January 1, 2000. However,
officials stated that the precise actions have not been documented in a
formal plan. Not having this plan increases the risk of unnecessary
problems in an already uncertain situation. Consequently, we recommend
that NCUA formally document its contingency plans.

A third concern that we have is that credit union auditors may not be
addressing the Year 2000 problem as part of their work. NCUA requires each
credit union to perform supervisory committee audits. These audits are to
determine whether management practices and procedures are sufficient to
safeguard members' assets and whether effective internal controls are in
place to guard against error, carelessness, and fraud. They are conducted
by the credit union’s supervisory committee staff or by an outside
accountant. However, NCUA officials noted that such reviews typically
focus on general controls (e.g., ensuring accurate data is entered into the
system, securing data from unauthorized use) and would not specifically
include controls to prevent malfunctions due to the Year 2000 problem.
Audits are an integral management control and expanding their scope to
include important and high-risk Year 2000 issues is critical since it would
provide credit union management with greater assurance and
understanding about where their institution stands in addressing the
problem.

Accordingly, we are recommending to NCUA that it require credit unions to
implement the necessary management controls to ensure that these
financial institutions have adequately mitigated the risks associated with
the Year 2000 problem. Specifically, NCUA should require credit union
auditors to include Year 2000 issues within the scope of their management
and internal control work and report serious problems and corrective
actions to NCUA immediately. To aid credit union auditors in this effort,
NCUA should provide the auditors with the procedures developed by NCUA
for its examiners to use in assessing Year 2000 compliance and any other
guidance that would be instructive.

We also believe NCUA should require credit unions to establish processes
whereby credit union management would be responsible for certifying
Year 2000 readiness by a deadline well before the millennium. Such a
certification process should include credit union compliance testing by an
independent third party and should allow sufficient time for NCUA to
review the results.

Our fourth concern is that NCUA does not have enough staff qualified to
conduct examination work in complex technical areas. At present, NCUA is in
the process of hiring one EDP auditor to help examine thousands of credit
unions. Recognizing this weakness, NCUA is considering hiring up to three
EDP auditors. However, these personnel additions may still not suffice
given the tremendous workload and the short time frame for getting it
done. To mitigate this concern, we recommend that before the end of the
year, NCUA determine the level of technical capability needed to allow for
thorough review of credit unions' Year 2000 efforts and hire or contract for
this capability.


Summary 


Our initial work showed that NCUA has made some progress in addressing
Year 2000 compliance issues for credit union systems that it regulates.
However, we are concerned that NCUA (1) is behind schedule and does not
yet know the exact status of credit union Year 2000 readiness, (2) has not
prepared a formal, detailed plan for contingencies, (3) does not have
assurance that sufficient credit union management controls are in place to
address Year 2000 problems, and (4) is lacking sufficient technical
capability. These concerns lead us to believe that NCUA needs to do more
to ensure that credit unions have adequately mitigated the risks associated
with the Year 2000 problem, and we have made recommendations to assist
NCUA in addressing these issues.


(51113$)
October 30, 1997


The  Honorable  Robert  Bennett 

Chairman,  Subcommittee  on  Financial  Services  and  Technology 
Committee  on  Banking,  Housing,  and  Urban  Affairs 
United  States  Senate 
Washington,  DC  205-0 

Dear  Chairman  Bennett: 

Thank  you  for  allowing  the  National  Credit  Union  Administration  (NCUA)  time  to 
prepare  an  appropriate  response  to  the  issues  raised  in  the  General  Accounting  Office’s 
(GAO’s) testimony before your subcommittee on October 22, 1997 regarding NCUA’s
Year  2000  (Y2K)  efforts.  As  I  stated  in  my  letter  to  you  earlier  this  week,  NCUA 
believes  that  GAO’s  testimony  contains  useful  recommendations  on  quarterly  reporting, 
management  certification  and  notification  to  credit  union  auditors.  However,  NCUA  has 
concerns  over  the  appropriateness  of  some  of  the  observations  and  actions  requested  of 
the Agency. Additionally, some of the recommendations will require decisions by the
NCUA  Board  on  policy  and  budgetary  matters. 

Attached  is  a  more  in-depth  analysis  of  the  issues  raised  in  GAO’s  report  and  Agency 
documents  that  clarify  NCUA’s  efforts  to  ensure  that  all  federally  insured  credit  unions  are 
compliant  with  Y2K  requirements.  I  appreciate  the  recommendations  provided  by  GAO. 
Even  though  NCUA  has  limited  resources,  I  believe  the  Agency  has  developed  strategies 
to  appropriately  meet  the  underlying  concern  leading  to  each  of  GAO’s  recommendations. 
During the 1998 budget review, the NCUA Board will consider, as appropriate, the
devotion  of  further  resources  to  Y2K  efforts. 

NCUA  developed  an  approach  designed  to  build  a  solid  foundation  in  the  examiner  staff, 
to  assure  that  the  credit  union  industry  is  made  aware  of  the  seriousness  of  the  issue,  and 
that  a  plan  is  in  place  which  will  best  ensure  Agency  as  well  as  industry  compliance.  The 
safety  and  soundness  examination  process  is  still  the  most  critical  of  NCUA’s  initiatives. 
NCUA  has  performed  its  assessment  as  part  of  the  safety  and  soundness  examination  at 
individual  credit  unions,  where  possible,  to  assure  that  a  dialogue  was  started  regarding 
the  Y2K  compliance  process. 

The  NCUA  Board  will  have  the  initial  assessment,  using  the  instrument  approved  by  the 
Federal Financial Institutions Examination Council (FFIEC), completed by December 31,
1997. This data will identify the credit unions that are not in compliance with Y2K; those
that have inadequate plans to achieve compliance; and those that are taking no action at
all. These results will enable the Agency to develop more specific supervision plans for
1998.

It will not be possible for NCUA to implement a new data collection system to obtain the
information recommended by GAO to meet a November 15th deadline due to the large
amount of time necessary to develop, implement, and administer such a program. The
Agency intends to implement a program of quarterly certifications by credit union officials
as  to  the  level  of  completion  they  have  attained  for  their  critical  systems  for  each  phase  of 
the  process.  NCUA  expects  to  have  this  data  collection  system  in  place  for  a  December 
31,  1997  report  date  with  a  January  31,  1998,  macro  overview  of  the  data.  This  new  data 
collection  system  will  enhance  and  refine  the  data  gathered  during  the  1997  assessment 
efforts. 

Because NCUA does not have direct authority over credit union vendors, the Agency will
continue  to  pursue  voluntary  cooperation  with  the  data  collection  initiatives  from  the 
information  system  vendors  (ISVs). 

NCUA  will  establish  written  guidelines  for  use  in  augmenting  the  various  policies, 
procedures, and agency instructions on administrative actions. In addition, the Agency
will  continue  its  efforts  to  obtain  information  from  ISVs  as  to  their  capacity  for 
conversions  from  systems  that  are  not  able  to  meet  reasonable  compliance  deadlines. 

Agency  staff  drafted  a  letter  to  credit  union  supervisory  committees  that  will  address  the 
need for internal and external auditors to review the Y2K plans and testing processes.
NCUA’s current regulation requires an assessment of the internal controls in the credit
union. Y2K is obviously part of the internal control issues and, therefore, is covered by
Agency regulations. Not only will NCUA attach the Y2K examination procedures to that
letter for the auditors' information and use, but will also include the Y2K checklists and
guidance recently prepared for NCUA by Coopers & Lybrand. This letter is proposed for
release  in  early  November. 

While  NCUA  cannot  hire  sufficient  additional  staff  to  bring  the  technical  expertise  to  an 
appreciably  higher  level  than  what  currently  exists  due  to  the  time  and  resources  needed 
for  such  recruitment,  the  Agency  contracted  with  Coopers  &  Lybrand  to  review  the  ten 
largest  ISVs.  NCUA  is  also  exploring  the  possibility  of  extending  contracts  for  reviews  of 
additional  ISVs,  credit  unions  with  in-house  systems,  and  select  large  credit  unions. 

Before  committing  the  resources  to  this  venture,  the  Agency  intends  to  assess  the  current 
contractor’s  efforts  in  the  initial  ten  ISV  reviews.  The  1998  budget  proposes  a 
41  percent  increase  in  the  supervision  and  Y2K  resource  allocation. 

Again, I want to thank you for allowing us an opportunity to provide additional
information on NCUA’s current activities and plans for future supervision actions. The
Agency's supervision of this area will continue to evolve as the examiners and Y2K staff
interact with credit unions and determine areas that must be addressed.

Please feel free to forward any additional questions you have on this matter. NCUA looks
forward  to  the  opportunity  to  discuss  the  program  further. 


Sincerely, 

Norman E. D’Amours
Chairman 


Cindy  Sprunger,  House  Banking  Committee 
Gary Mountjoy, General Accounting Office

National Credit Union Administration

NCUA’S  RESPONSE 
OCTOBER  22, 1997  GAO  TESTIMONY 


AGENCY  PROGRAM 


BACKGROUND 

NCUA  has  adopted  the  Federal  Financial  Institutions  Examination  Council  plan  for 
managing  the  industry’s  efforts  to  become  Y2K  compliant.  NCUA  works  closely  with  the 
FFIEC  working  groups  on  Y2K  issues.  The  assessment  questionnaire  being  used  by  the 
Agency is the questionnaire developed by the FFIEC group for use by all financial
regulators. 

GENERAL  SUPERVISION  APPROACH 

Credit  unions  come  in  a  wide  variety  of  asset  size  and  operational  complexity. 
Consequently,  NCUA’s  examination  and  supervision  approach  must  meet  many  diverse 
needs  in  assuring  the  safety  and  soundness  of  the  industry.  NCUA’s  program  is  developed 
to  maintain  maximum  flexibility  which  enhances  the  ability  to  react  not  only  quickly,  but 
appropriately  to  the  unique  factual  situations  presented  by  any  range  of  credit  union 
problems.  While  Agency  staff  may  use  the  same  tools  in  each  examination,  they  do  not 
use a “cookie cutter” approach to resolving problems. Such an approach, in addition to
stifling  innovation,  would  unnecessarily  and  inappropriately  micro  manage  credit  unions. 
NCUA  works  to  keep  the  accountability  and  responsibility  for  corrective  actions  needed 
to obtain the desired results squarely in the hands of the credit union management. NCUA
then  evaluates  the  results  and  the  process  used  to  achieve  the  results. 

NCUA  has  established  a  basic  foundation  on  Y2K  in  both  the  examiner  ranks  and  the 
credit  union  community.  NCUA  established  that  foundation  internally  through  a  hierarchy 
of  Y2K  Specialists  at  the  supervisory  examiner  group,  regional,  and  national  levels.  The 
Agency  raised  awareness  within  the  industry  through  a  series  of  three  Letters  to  Credit 
Unions,  publication  of  several  articles,  many  speaking  engagements,  and  the  establishment 
of  a  Y2K  section  in  the  Agency’s  web  site.  The  Agency  Y2K  program  takes  advantage  of 
the  training  potential  in  the  normal  examination/supervision  process  between  the  examiner 
and  credit  union  officials  and  staff.  Additional  training  has  increased  technical  competence 
and  familiarity  among  the  examiners  on  this  technical  issue.  Consequently,  their 
effectiveness  in  dealing  with  Y2K  has  been  increased  by  casting  the  problem  in  familiar 
terms  of  management  controls  over  an  EDP  conversion  process.  NCUA  also  cast  the 
Agency’s  Y2K  enforcement  efforts  into  the  normal  actions  taken  when  any  credit  union 
has an area of concern that must be corrected.

GAO RECOMMENDATIONS

ASSESSMENT  OF  Y2K  READINESS 

GAO’s  testimony  provides  some  quality  recommendations  in  this  area  that  NCUA  will 
pursue.  However,  some  of  the  observations  need  clarification  and  the  deadlines  are  not 
attainable. 

Credit  Union  Readiness 

As  stated  earlier,  NCUA’s  questionnaire  process  is  part  of  an  interagency  approach  to 
determining  the  status  of  financial  institutions.  The  questionnaire  is  being  completed  by 
examiners  as  they  examine  the  individual  credit  unions  on  site  or  perform  off-site 
supervision  contacts. 

In  its  testimony,  the  GAO  is  critical  of  a  perceived  lack  of  attention  to  the  interface  and 
payment systems issues. In NCUA’s letter to all federally insured credit unions on June 3,
1997,  the  interface  issues  are  discussed  and  the  risks  for  credit  unions  are  outlined. 

Review  of  NCUA  Letters  to  Credit  Unions  with  credit  union  management  represents  a 
normal part of the supervision process. In addition, the examination procedures
distributed at Y2K training for the Agency's group specialists address this issue
specifically. NCUA believes this information is picked up in the first question in the
FFIEC questionnaire as it requests whether the hardware, software, and
telecommunication systems used by the credit union are in compliance. All of the interface
and payment systems fall into at least one of these categories.

NCUA  has  also  taken  a  first  look  at  the  data,  and  found  a  number  of  false  positive 
responses.  Agency  staff  communicated  that  fact  to  the  GAO  investigators.  NCUA  is  in 
the  process  of  working  with  the  Agency’s  regional  directors  and  examiners  to  correct  the 
data  and  assure  that  all  the  questions  are  being  answered  in  a  consistent  and  accurate 
manner.  It  is  important  that  any  misconceptions  regarding  the  content  of  specific 
questions  are  cleared  up  with  Agency  staff  to  avoid  reporting  inaccurate  results  to  external 
parties. 

The  GAO  noted  that  the  questionnaire  “does  not  inquire  into  the  status  of  efforts  in 
completing each phase of correction.” Agency staff estimates that developing and
implementing a new data collection system would take a minimum of 60 days, well beyond
the GAO recommended deadline of November 15, 1997. NCUA will develop a system,
implement the system, and have examiners collect valid information on the 11,300
federally  insured  credit  unions  to  track  the  ongoing  status  of  Y2K  compliance. 

By December 31, 1997, through the FFIEC data collection process, NCUA will know
those credit unions that are not compliant, those that have a deficient action plan in place,
and those that are doing nothing. The Agency's supervision process for 1998 will be
further refined upon collection of this information, as covered in the FFIEC Y2K Project
Management Plan issued in May 1997. NCUA supervision may include on-site contacts,
early  examinations,  and  other  administrative  actions  depending  upon  each  credit  union’s 
specific  factual  situation. 

The  GAO  comments  regarding  quarterly  reporting  and  management  certification  will  be 
incorporated  to  evolve  NCUA’s  supervision  approach  to  its  next  logical  level. 
Unfortunately,  the  use  of  a  third  party  certification  and  testing  agent  is  not  feasible 
considering the resources available to most of the credit unions. In recent testimony,
Harris N. Miller, President of the Information Technology Association of America
(ITAA), stated that an adequate amount of staff has to be available to complete just the
questionnaire portion of the certification process ITAA is using. In addition, Mr. Miller
goes on to discuss the fact that ITAA's certification program does not “test software per
se in every environment in which they use it,” but rather the “focus is on the processes and
methods that organizations use to develop Y2K software.” ITAA’s approach does not
differ significantly from the work being done by NCUA examiners, except that in addition
to  reviewing  processes  and  methods,  NCUA  looks  for  results.  Credit  unions  tend  to  have 
very  lean  staff  levels.  Requiring  the  type  of  third  party  certification  discussed  in  Mr. 
Miller's  testimony  may  be  unnecessarily  burdensome  to  a  majority  of  credit  unions. 

NCUA  is  looking  to  implement  a  system  that  will  require  credit  union  managers  to  certify 
their  level  of  completion  on  each  of  the  five  phases  on  a  quarterly  basis.  To  collect  this 
data  and  certification  requires  an  OMB  number  under  the  Paperwork  Reduction  Act. 

Even if NCUA obtains OMB approval for emergency processing, Agency staff believes
that  it  will  take  almost  30  days  to  complete.  Without  approval  for  emergency  processing, 
this  process  takes  at  least  90  to  120  days.  NCUA  will  immediately  pursue  the  emergency 
processing  of  an  OMB  number.  If  NCUA  is  not  approved  for  emergency  processing,  the 
Agency  will  begin  to  use  the  certification  on  a  volunteer  basis  until  the  data  collection 
form  is  approved.  NCUA  plans  to  collect  the  first  information  under  this  program  as  of 
December 31, 1997. The data will flow to Agency examiners and regional offices for
updating each credit union’s individual supervision plan, and then will be captured on a
national basis for macro reporting. The first report should be available by January 31,
1998.

The  GAO  testimony  indicates  that  NCUA  is  only  on-site  at  a  credit  union  during  the 
annual examination. The Agency’s supervision includes both off-site monitoring and
on-site contacts. Of the 79,730 hours in supervision used to date in 1997, 43,047 hours were
for on-site contacts or 54%. The proposed budget for 1998 includes over 100,000 hours
of supervision time above the 550,000 hours of examination time and an additional 42,000
hours for Y2K oversight. The combination of 1998’s proposed supervision and Y2K time
represents a 41% increase over 1997.

EDP Vendor Readiness

NCUA  staff  provided  the  GAO  with  a  legal  opinion  from  the  Office  of  General  Counsel 
that states that the Agency's ability to obtain information from ISVs is limited to voluntary
cooperation or subpoena power. While unable to meet GAO's requirement that NCUA
determine the compliance status of the ISVs by November 15th, the Agency is exploring
avenues regarding the ISV issues which balance the activities with the potential to cause
the vendor substantial competitive harm. Any vendor that either lost clients or went out
of business would adversely affect their client credit unions and potentially cause
unnecessary  losses  to  the  NCUSIF. 

NCUA's  outside  contractor  is  proceeding  to  conduct  Y2K  reviews  on  a  voluntary  basis  at 
the ten largest ISVs starting December 1997 through February 1998. The initial 10
reviews should cover approximately 6500 credit unions with EDP systems or 58% of the
total federally insured credit unions. Additional reviews will be conducted as appropriate.
The review report will evaluate the following:

•  The  state  of  compliance  or  non-compliance  of  the  ISV,  and  the 
potential  impact  on  credit  unions  of  its  specific  areas  of  non- 
compliance; 

•  An  assessment  of  the  ISV’s  understanding  of  the  problem  and  their 
specific  vulnerabilities,  and  a  summary  of  their  plans  to  resolve  the 
problem; 

•  An  assessment  of  the  viability  and  timeliness  of  plans  to  resolve  the 
problem;  and 

•  An  assessment  of  the  extent  of  the  problems  found  in  terms  of  the 
number  and  size  of  credit  unions  serviced  by  the  ISV 

Summary 

NCUA’s  approach  of  building  a  solid  foundation  in  its  examiner  staff  and  assuring  that  the 
credit  union  industry  was  made  aware  of  the  seriousness  of  the  issue  was  a  necessary  first 
step.  The  safety  and  soundness  examination  process  is  still  the  most  critical  of  the 
Agency’s  several  initiatives.  NCUA  has  performed  the  assessment  as  part  of  the  safety 
and  soundness  examination,  where  possible,  to  assure  that  a  dialogue  regarding  the 
compliance  process  was  started  and  resources  were  minimized  by  reducing  the  number  of 
trips to a credit union site. This initial assessment will be completed on all credit unions by
December  31,  1997. 

CONTINGENCY  PLANNING 

NCUA  routinely  works  with  credit  unions  that  find  themselves  in  problem  situations.  The 
Agency  has  regional  director  delegated  authority,  policies  and  procedures,  instructions, 
manuals,  and  tracking  systems  for  the  assistance  and  administrative  actions.  This  aspect  of 
credit union supervision is not unusual for the Agency. NCUA will treat Y2K major
problems with the same swift administrative action that it uses for any crisis faced by a
credit union and well in advance of December 1999. NCUA will develop additional
written guidance augmenting the current documented processes for administrative action.
Agency staff expects this work to be completed by November 30, 1997.

Part of NCUA’s contingency planning includes assessing the potential excess capacity in
the industry for EDP services. The Agency will be holding a vendor conference in
December and at that time will develop information regarding the vendors’ ability to
absorb new clients. The information will look at total numbers and the speed with which
credit unions could be converted to a compliant system. This information will be built into
the  written  plan  NCUA  develops  to  augment  the  current  administrative  action  processes. 

Because NCUA has no statutory supervisory authority over the ISVs, all of the agency’s
activities with the vendors must be on a voluntary basis. Accordingly, NCUA is still
pursuing ways that the Agency can legally convey information regarding a vendor’s
compliance  or  lack  thereof  without  stepping  across  the  boundary  of  causing  “substantial 
competitive  harm.”  Through  conferences,  letters  to  the  vendors,  and  publication  of  the 
contingency  plans,  the  Agency  should  be  able  to  attain  voluntary  compliance  from  a 
majority  of  the  vendors. 

USE  OF  CREDIT  UNION  SUPERVISORY  COMMITTEE  AUDITORS 

NCUA  has  not  singled  out  the  activities  of  the  credit  union  supervisory  committee  internal 
and  external  auditors  in  the  Y2K  arena  for  special  review.  NCUA's  regulation  requires 
the  supervisory  committee  or  its  designee  to  assess  the  control  structure  at  the  credit 
union  at  least  annually.  The  Agency  believes  that  to  meet  the  regulation,  external  auditors 
should  at  least  assess  the  credit  union's  progress  towards  Y2K  compliance  as  it  is  a  major 
internal  control  issue. 

However,  since  NCUA  has  not  yet  specifically  addressed  this  issue,  the  Agency  now  plans 
to  send  a  letter  to  the  chairman  of  each  credit  union's  supervisory  committee.  This  will 
put  the  supervisory  committee  on  notice  that  they  should  use  their  resources  to  ensure  the 
operational  integrity  of  the  credit  union’s  systems.  This  NCUA  letter  will  re-emphasize 
the  regulatory  requirement.  It  will  also  recommend  that  credit  unions  with  internal 
auditors  use  them  to  review  and  validate  the  testing  process  on  an  ongoing  basis.  In 
addition,  the  letter  will  urge  supervisory  committees  to  complete  the  Y2K  compliance 
review  early  in  the  audit  cycle,  rather  than  later. 

The GAO testimony suggests that NCUA forward the examination procedures to the
auditors used by credit unions. NCUA forwarded the examination procedures to each
federal credit union earlier this year. While, in theory, this should assure that they are
available for the auditor, NCUA will also attach the procedures to the letter to the
supervisory committee chair.

NCUA TECHNICAL CAPABILITY

While  NCUA  does  not  currently  employ  any  EDP  auditors,  the  Agency  is  recruiting  for 
one  approved  position.  While  the  Board  will  consider  increasing  the  number  of  EDP 
auditors  to  three  for  the  1998  budget  cycle,  at  present  the  Agency  has  neither  the 
resources  nor  sufficient  time  to  hire  and  develop  a  larger  staff  of  EDP  Auditors. 

Therefore,  the  Agency  must  look  to  alternative  ways  to  meet  its  responsibilities  in  this 
area. 

NCUA  hired  Coopers  &  Lybrand  on  August  25,  1997.  In  addition  to  the  EDP  reviews 
cited above, Coopers & Lybrand has conducted training seminars for the examiner staff in
the  basic  issues  to  review  in  each  credit  union.  Since  examiners  cannot  perform  the 
application  checks,  NCUA  must  instead  insist  that  the  credit  union  have  a  viable  plan  to 
implement  and  assess  those  checks.  Again,  NCUA  must  recast  the  problem  into  one  that 
is  workable  within  the  Agency’s  constraints.  NCUA  holds  each  credit  union  accountable 
and  responsible  for  conducting  the  appropriate  testing  and  review  of  internal  controls, 
rather  than  having  Agency  staff  perform  that  testing.  The  Agency  has  the  expertise  to 
assure  that  credit  unions  meet  their  plans,  assess  the  test  results,  and  take  appropriate 
action  to  revise  the  plan  as  needed  based  on  those  results.  NCUA  has  the  ability  to  take 
administrative  action  when  the  process  is  not  working. 

NCUA's Information System Specialist positions, even at the proposed level of three,
cannot  possibly  perform  all  the  Y2K  work.  That  effort  was  never  envisioned  as  part  of 
their  function.  The  positions  are  being  established  to  provide  technical  expertise  to  assist 
the  Agency  in  developing  long-range  plans  for  dealing  with  a  proliferation  of  information 
systems  issues  within  credit  unions,  of  which  Y2K  is  one.  EDP  Auditors  will  provide 
leadership  on  Y2K  and  other  issues  within  the  Agency  and  to  the  credit  unions. 

NCUA has contracted with Coopers & Lybrand to review ten ISVs, on a voluntary basis.
Based  on  the  assessment  of  the  quality  and  benefit  of  those  reviews,  the  Agency  will 
consider  contracting  for  additional  reviews  in  three  areas: 

1. Other EDP vendors;

2.  In-house  system  credit  unions;  and 

3.  Large  credit  unions. 

The NCUA Board will make the final decision regarding the resources that should be
committed to further reviews. The information developed in the first ten reviews by
Coopers & Lybrand will provide a basis upon which to make recommendations for
additional outside contract reviews. Contracting for expertise is the only viable option to
enhance the technical capabilities at this point.